Modern computing networks provide access to a wide variety of computing resources such as data archives, search engines, data processing, data management, communications, electronic marketplaces, as well as media and entertainment services. As the number and size of such computing resources, and their user communities, have grown and become more sophisticated, a need has arisen to establish increasingly sophisticated usage policies. For example, such policies may include policies that address security, privacy, access, regulatory and cost concerns. However, conventional approaches to policy enforcement have drawbacks.
For example, conventional approaches to policy enforcement can be ad hoc, limited to a particular type of computing resource and/or limited to a particular set of policy controls. In heterogeneous computing environments incorporating even a modest number of computing resource types, an ad hoc approach can be a significant administrative burden. In addition, some conventional approaches scale poorly as the number of computing resources grows large. Small administrative and/or performance inefficiencies can become problematic at larger scales. Some conventional approaches lack a centralized policy management service which can hamper consistent policy management in distributed computing environments. Some conventional approaches are limited to centralized policy management, which can be insufficiently flexible in response to changing requirements.
Policy set complexity can also be a problem for some conventional approaches to policy enforcement. For example, policy administrators may have difficulty implementing a desired policy in practice, even when it is possible in theory. Policies may be inconsistently enforced by different computing resource types. The specification of a particular policy may have unanticipated and/or unintended consequences. Furthermore, it is becoming increasingly common to provision such computing resources with virtual computing resource providers. In such cases, computing resource administrators may not have control over, or direct access to, computing hardware or other infrastructure that implements the provisioned computing resources. In some conventional approaches to policy enforcement, such environments can hinder acquisition of sufficient diagnostic information to efficiently resolve policy enforcement problems.
Same numbers are used throughout the disclosure and figures to reference like components and features, but such repetition of number is for purposes of simplicity of explanation and understanding, and should not be viewed as a limitation on the various embodiments.